CyberWire Daily - Malibot info stealer is no coin miner. "Hermit" spyware. Fabricated evidence in Indian computers. FBI takes down botnet. Assange extradition update. Putting the Service into service learning.

Episode Date: June 17, 2022

Malibot is an info stealer masquerading as a coin miner. "Hermit" spyware is being used by nation-state security services. Fabricated evidence is planted in Indian computers. The US takes down a criminal botnet. The British Home Secretary signs the Assange extradition order. We wind up our series of RSA Conference interviews with David London from the Chertoff Group and Hugh Njemanze from Anomali. And putting the Service into service learning. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/117

Selected reading.
'MaliBot' Android Malware Steals Financial, Personal Information (SecurityWeek)
F5 Labs Investigates MaliBot (F5 Labs)
Sophisticated Android Spyware 'Hermit' Used by Governments (SecurityWeek)
Lookout Uncovers Android Spyware Deployed in Kazakhstan (Lookout)
Police Linked to Hacking Campaign to Frame Indian Activists (Wired)
U.S., partners dismantle Russian hacking 'botnet,' Justice Dept says (Reuters)
Russian Botnet Disrupted in International Cyber Operation (US Attorney's Office, Southern District of California)
Julian Assange: Priti Patel signs US extradition order (The Telegraph)
AIVD disrupts activities of Russian intelligence officer targeting the International Criminal Court (AIVD)
Alleged Russian spy studied at Johns Hopkins, won ICC internship (Washington Post)

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 Malibot is an info stealer masquerading as a coin miner. Hermit spyware is being used by nation-state security services. Fabricated evidence is planted in Indian computers. The U.S. takes down a criminal botnet.
Starting point is 00:02:14 The British Home Secretary signs the Assange extradition order. We wind up our series of RSA Conference interviews with David London from the Chertoff Group and Hugh Njemanze from Anomali, and putting the service into service learning. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Friday, June 16th, 2022. Researchers at F5 Labs describe Malibot, an Android malware family capable of exfiltrating personal and financial information, SecurityWeek reports. F5 says the malware can often be found posing on fraudulent websites as popular cryptocurrency mining app The Crypto App, but may also pose as a Chrome browser or other applications.
Starting point is 00:03:23 The malware's capabilities include support for web injections and overlay attacks, the ability to run and delete applications, the ability to steal cookies, multi-factor authentication codes, text messages, and more. Malibot was found to abuse the Android Accessibility API, which permits it to perform actions without user interaction and maintain itself on the system.
Starting point is 00:03:47 The use of the accessibility API also allows for bypass of Google two-factor authentication, as prompts can be validated through the infected device. Malibot uses the same servers used to distribute Sality malware and shares a Russian IP address with other malicious campaigns. The primary targets of Malibot have so far been customers of Spanish and Italian banks, but the malware could soon expand its geographical reach. Researchers at Lookout have discovered a sophisticated Android spyware family, Hermit, that appears to have been created to serve nation-state customers.
Starting point is 00:04:27 The spyware, currently in use by Kazakhstan's government against domestic targets, has also been associated with Italian authorities in 2019 and at other times with an unknown actor in Syria's Kurdish region. The researchers believe that the Android spyware is being distributed through text messages that claim to be from legitimate sources. And note that while an iOS version of the spyware exists, researchers were unable to get a sample. The Android spyware is reported to support 25 modules and 16 of them were able to be analyzed. Many of the modules collect different forms of data, such as call logs, browser data, photos, and location, while others can exploit rooted devices
Starting point is 00:05:11 and make and redirect calls. Lookout security researcher Paul Shunk explained to SecurityWeek that the initial application is a framework with minimal surveillance capability, but that it could fetch and activate modules as needed, which allows for the application to fly under the radar during the security vetting process. Citing updated research by SentinelOne, Wired reports that police in Pune, India, planted incriminating evidence in the computers of journalists,
Starting point is 00:05:43 activists, and academics, evidence that was subsequently used to justify their arrest. According to Wired, SentinelOne has connected the evidence-planting to activity it reported in its February 2022 study of the ModifiedElephant APT. The report said, "The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of evidence, files that incriminate the target in specific crimes prior to conveniently coordinated arrests." The U.S. Attorney for the Southern District of California has announced the takedown of a Russian cybergang's botnet.
Starting point is 00:06:25 Working with partners in Germany, the Netherlands, and the United Kingdom, the U.S. FBI seized RSOCKS, a criminal-to-criminal service that offered access to bots as proxies in the C2C underworld market. The U.S. attorney explained, once purchased, the customer could download a list of IP addresses and ports associated with one or more of the botnet's backend servers. The customer could then route malicious internet traffic through the compromised victim devices to mask or hide the true source of the traffic. It is believed that the users of this type of proxy service were conducting large-scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts or sending
Starting point is 00:07:10 malicious emails, such as phishing messages. It cost RSOCKS's criminal clientele between $30 and $200 a day to route their traffic through the proxies. The Telegraph reports that British Home Secretary Priti Patel today signed an order extraditing WikiLeaks impresario Julian Assange to the United States, where he faces espionage charges. Mr. Assange's legal team intends to appeal the decision. And finally, there's a spy story out of The Hague. The Netherlands General Intelligence and Security Service announced yesterday that they'd stopped a Russian GRU illegal from taking a position, an internship, with the International Criminal Court in The Hague. AIVD gave a brief account of the legend the illegal had created as part of his cover. They say the Russian intelligence officer purported to be Brazilian citizen Victor Muller Ferreira, born April 4th, 1989, when in fact his real name is Sergei Vladimirovich Cherkasov, born in September of
Starting point is 00:08:20 1985. Cherkasov used a well-constructed cover identity by which he concealed all his ties with Russia in general and the GRU in particular. AIVD has published documents giving more details on the legend. Some of them seem to have been written by Mr. Cherkasov himself. They tell a touching story of a mildly hardscrabble life Señor Ferreira led growing up in Brazil, a little bit global south, a bit of Horatio Alger, and supplying what Gilbert and Sullivan would have called merely corroborative detail intended to give artistic verisimilitude to an otherwise bald and unconvincing narrative.
Starting point is 00:09:02 He was pained when the other kids called him Gringo because they thought he looked German, for example. Gringo is typically reserved for anglophones, but then English is a Germanic language, so maybe close enough for the playground. Another fun fact: Señor Ferreira reminds himself that he likes clubbing only where they play trance music. A detail that, we confess, would have screamed GRU-hood to us, but then we don't get around much anymore. The Washington Post notes that Mr. Cherkasov passed himself through the Johns Hopkins University School of Advanced International Studies between 2018 and 2020, earning a master's degree with a
Starting point is 00:09:42 specialization in American foreign policy. The Post also reports the general consensus as to why the GRU wanted to place him in the International Criminal Court. They're interested in intelligence about war crimes investigations Russia faces in the ICC. Setting up an illegal with an elaborate plausible legend is expensive and time-consuming, and that the GRU thought this worthwhile suggests that they consider the ICC a target worth infiltrating. Russian Foreign Minister Lavrov may protest that war crime stories are just Western fake news and Ukrainian provocations, but the GRU knows better. The Johns Hopkins professor who wrote him a letter of recommendation is commendably frank about how he was gulled. He said, after the graduation,
Starting point is 00:10:32 he asked for a reference letter for the ICC. Given my research focus, it made sense. I wrote him a letter, a strong one, in fact. Yes, me. I wrote a reference letter for a GRU officer. I will never get over this fact. I hate everything about GRU, him, this story. I'm so glad he was exposed. The professor shouldn't feel too bad. It's not his job to be a counterintelligence officer, after all, and illegals have fooled the best. Congratulations to AIVD for smoking this one out. The Dutch authorities sent him back to Brazil, by the way, which seems a nice literal-minded ironic touch. Let the Aquarium pay for Mr. Cherkasov's passage home.
Starting point is 00:11:17 That is, if they want him back.
Starting point is 00:12:54 David London is Managing Director of the Cybersecurity Practice at the Chertoff Group. And at last week's RSA Conference, he and I got together to discuss some of the trends he and his colleagues are tracking.
Starting point is 00:13:33 Within the government, there's often this kind of expectation around compliance, but we are finding that whether it's around the weaponization of supply chain, heightened expectations around, you know, reporting requirements and kind of oversight, both from DHS as well as SEC, we know that our commercial clients are going to have to, you know, comply and establish programs that enable, you know, an alignment to those expectations. And so being here together, trying to talk the same language has been, I think, you know, of importance to everyone and something that despite our ability to kind of prove that we can work productively by Zoom allows, I think, a lot more face-to-face kind of communication and rapport building and trust building. The conversations that you're having, particularly on the policy side, what direction are you seeing things going there?
Starting point is 00:14:27 So I kind of alluded to some of these heightened expectations. We work a lot on, particularly with our partner Synopsys, one of the leading providers of software supply chain security, on the issue of the weaponization of the supply chain. And so the U.S. government has really doubled down on software supply chain visibility, transparency, and security through the executive order. We're seeing that kind of promulgated through NIST
Starting point is 00:14:53 and through other organizations of defining critical software, establishing kind of core software supply chain best practices, and kind of testing and validation. And so organizations are struggling with that. They're struggling with the level of technical debt and how to wrap their arms around both their own custom code and open source code, which 80% to 90% of all kind of code bases are based on.
Starting point is 00:15:20 And you look no further than obviously SolarWinds, but also some of the more recent malware-less cyber extortion attempts by groups like Lapsus who have taken source code from some of the largest technology providers like Samsung, NVIDIA, and posted it onto the web, giving kind of breadcrumbs to adversaries to identify flaws, vulnerabilities that can then be used and have much broader blast radiuses. The customers that you're talking to, what sort of conversations are you having when it comes to being prepared on the regulatory compliance side? So one of the things that we do a lot of is cyber crisis exercises and war gaming. And because we don't think looking at sort of compliance or kind of regulatory expectations in a vacuum is particularly helpful. We all know compliance does not equal security. And so as we kind of frame these issues around cyber crisis incident response planning and management, some of those regulatory expectations come into play, but they're not, they're not viewed, you know, outside of overall
Starting point is 00:16:26 cybersecurity risk management best practices. So we're seeing a lot of demand signals for that, particularly with what's happening with the Russia-Ukraine aggression. Yeah. Where we originally saw somewhat mild kind of Russian activity. What we're seeing today is, kind of Russian activity. What we're seeing today is, and Microsoft wrote a blog and a report on this, is kind of a broader focus around hybrid warfare, where you have kinetic attacks that are coupled by disruptive cyber attacks. And thus far, that's been relatively isolated to the sort of Ukraine and Russian domain. Right. But given Russia's history, given its nation state capabilities and trade craft,
Starting point is 00:17:12 we expect that there will be retaliatory attacks. And so our clients, our organizations are very focused on that and looking at kind of black sky, dark sky events that involve Russia or other nation states. How do we respond? How do we identify an attack? How do we fulfill our kind of legal and regulatory obligations? But I think more importantly to our clients, particularly those in critical infrastructure, how do we continue to have steady state operations? How
Starting point is 00:17:42 do we build resilience into our program while also complying with regulatory expectations? But how are we achieving a level of execution to our customers and our clients? Is there overall a sense of optimism that we're in a good place in terms of meeting those goals? I don't think you would talk to any cybersecurity expert. I think there's a level of the work is never done. I do believe that there is a higher level of optimism with the level of sort of coordination and information sharing that is occurring with government. I've worked in cyber exercises and war gaming for about a decade and a half. And the constant complaint was, we give you all the information,
Starting point is 00:18:30 we private sector, and we don't get anything back. We don't get anything enriched back. And so the latest law passed by Biden in March, this kind of CISA guidance on incident reporting within 72 hours, material incident reporting, ransomware events within 24 hours. The private sector is expected to provide information, including threat tactics and behaviors. But in return, the U.S. government will be providing either on the classified side where possible or sanitized information on not just thank you very much, just thank you very much, but here are some very specific ways you can protect your environment based on the threat activity and the sightings that we are observing within the environment. And so I do think there's optimism there, but I also think given the weaponization of the supply chain, you know, the nation state capabilities, the merging of nation state and financially motivated capabilities has created just additional headwinds among our clients. And there's also a resourcing concern.
Starting point is 00:19:32 And so particularly where you see some contraction in the economy, particularly in the tech sector, which we have observed to have significantly growing security programs given their risk exposure, they'll have to balance that resourcing of their cybersecurity priorities against the priorities of their broader enterprise. And, you know, we work a lot with organizations on building risk registers, and I think it kind of puts in sharp relief the importance of building a kind of repeatable cyber risk management program
Starting point is 00:20:02 where you can take a risk and you can begin to quantify it based on your overall inherent risk to the organization, the level of kind of countermeasures and residual risk you achieve and the impact of that attack so that you can have some way of triaging all the many and growing risks within your organization and kind of prioritize that resourcing. David London, thanks for joining us. There's a lot more to this conversation. If you want to hear more, head on over to CyberWire Pro and sign up for Interview Selects,
Starting point is 00:20:33 where you get access to this and many more extended interviews. Hugh Njemanze is president and CEO of security firm Anomali. At RSAC, he presented on the increasing and changing usage of intelligence to improve security. I caught up with Hugh Njemanze for an overview of his presentation. So basically, in the old days, people generated logs of everything. And those logs are all about events that are happening on your system. Eventually, it became interesting to look at the originators of activities
Starting point is 00:22:11 and start assigning, if you will, reputations to them. So in other words, these IP addresses correspond to a bad actor. Maybe they use 20 different addresses that are associated with them. Over time, that evolves. Some of those become obsolete. Some new ones come into play. And so collecting that kind of information from researching activities that had already happened in the past became a thing. It started to be referred to as threat intelligence. And if you compare that to the real world, it's like when you have break-ins in a house,
Starting point is 00:22:52 the burglar alarm can see the window break. But if somebody gets arrested, you can start building a track record. They go after safes, they go after TVs, they tend to go in this neighborhood. And so then a neighborhood watch can start to say we saw a suspicious character that's a known malicious entity in your neighborhood. Matches the track record that we've seen with previous things. Exactly. So that's really what threat intelligence is about, is a neighborhood watch. It's leveraging the fact that we know somebody did something in the past
Starting point is 00:23:25 so we can infer what they're going to do. It's kind of like if a terrorist tries to get on a plane without a knife, how do you know they're a terrorist? But if you have a watch list, then you can look at their ID and say, well, this is a known person with a record of behavior. Otherwise, you can only stop the guys that pack guns and knives in their rollaboards to alert you. Right, right. So what is considered the state of the art these days when it comes to threat intelligence? Well, there's different aspects to threat intelligence. So one is how
Starting point is 00:23:58 do you collect it? How do you research it? And then there's how do you use it? And where the state of the art has been evolving most rapidly recently is applications of threat intelligence. So in other words, what can you do with it? And a lot of the changes actually come from organizations, typically large enterprise, that are finding new applications of threat intelligence on a regular basis and then sort of feeding that back into the community.
Starting point is 00:24:32 And for example, at Anomaly, we learn a lot from what people are doing with the threat intel that they're acquiring. Now, threat intelligence can come from commercial firms that specialize in doing research and collecting intelligence. It can come from communities that do it as a service to their peer groups. It can come from things like ISACs, which are information sharing communities. Right. That share Threat Intel feeds, research feeds with their membership. So as an organization, are those traditional things that you mentioned earlier, like your logs,
Starting point is 00:25:09 are those all being fed into the collection of information that's then used to form better threat intelligence? That's a great question. So those are actually two complementary sets of data. So it's kind of like if you have a phone book, that's all the people in the phone book, right? And then when they do something, when they drive through a toll booth,
Starting point is 00:25:36 when they go through airport security, you compare them to that phone book, but you also look at maybe their IDs, their job description, et cetera. And so the alerts and events are what's being done on the network. The threat intel is a list of who's who on the network. And what you have to do is marry those two sets of data.
Starting point is 00:25:59 So the event activity is something that's happening continuously on a daily basis. A large organization could be collecting more than a billion logs per day, maybe several billion logs per day. On the threat intelligence side, that's like the little phone book or the TSA no-fly page. What you have to do is compare that list to the billions of events that are happening every day and look for matches.
Starting point is 00:26:26 And so that's actually, the more Threat Intelligence expands, the harder it gets to do that. So 10 years ago, we were looking at maybe 100,000 active indicators that people knew about. And a year later it was a million, a year later it was 10 million, it was 100 million. Now we have probably the largest single repository of threat intel in the world and it's like 5 billion threat indicators. So it's a multiplication problem because if you have a billion events and a thousand indicators, you have to make a trillion comparisons. But if you have a billion indicators and a billion events, it's just mind-boggling. And so that's the scope of the challenge today,
Starting point is 00:27:12 is doing what's known in database worlds as a join between all the activity and all the known actors. What is the spectrum of ways that people consume threat intelligence? I would imagine different sizes, different types of organizations integrated in different ways. Absolutely. So first of all, there's a variety of tools in a security operations center. There's SIEMs.
Starting point is 00:27:37 SIEMs have, I would say, the largest appetite for threat intel. So in other words, because SIEMs are receiving activity log events from all around your network, from your switches, your routers, your hosts, in addition to security tools like firewalls, IDS, and so forth. And so that's where people typically, if they're large enough to have a SIEM and a SOC, they typically direct threat intel to the SIEM. That's where the bulk of the activity happens. But then they'll also send some to the firewall.
Starting point is 00:28:12 But firewalls are designed to have block lists, and those lists are measured in thousands, not billions and millions. So what people do is they filter down to a small set of intelligence that they think is relevant to the firewall, send that to the firewall. They send a bigger subset to the SIEM. That's Hugh Njemanze from Anomali.
Starting point is 00:28:49 And that's The Cyber Wire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday
Starting point is 00:29:19 and my conversation with ExtraHop's Edward Wu. We're discussing a technical analysis of how Spring4Shell works. That's Research Saturday. Check it out. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tré Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Starting point is 00:30:00 Thanks for listening. We'll see you back here next week.
